Analysis Report soft.dll

Overview

General Information

Sample Name: soft.dll
Analysis ID: 430072
MD5: 627c8a536ed728b1b9e6d2dad958ac0c
SHA1: 03f6ab6dd415ca980cc0ab1f36f3d306e18c99bc
SHA256: 10ab600004b40a318004a19a90374c6430dcf5b2219dda9e6e017a424e3e0503

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: soft.dll Virustotal: Detection: 13%

Compliance:

Uses 32bit PE files
Source: soft.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: soft.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Until\moon\old-speak\bright\come.pdb source: loaddll32.exe, 00000000.00000002.526260148.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.505285261.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.491588581.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.498620240.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.533256829.000000006E234000.00000002.00020000.sdmp, soft.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FEF8D FindFirstFileExW, 0_2_6E1FEF8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 0_2_6E1FF349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FEF8D FindFirstFileExW, 3_2_6E1FEF8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 3_2_6E1FF349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FEF8D FindFirstFileExW, 6_2_6E1FEF8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 6_2_6E1FF349

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E2485 NtQueryVirtualMemory, 6_2_6E1E2485
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E210EFC 0_2_6E210EFC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E205F50 0_2_6E205F50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1FD2 0_2_6E1F1FD2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1D6D 0_2_6E1F1D6D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20EA21 0_2_6E20EA21
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1AF9 0_2_6E1F1AF9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E205B20 0_2_6E205B20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E6BDF 0_2_6E1E6BDF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F18C7 0_2_6E1F18C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20E901 0_2_6E20E901
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E205600 0_2_6E205600
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E206616 0_2_6E206616
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1686 0_2_6E1F1686
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1454 0_2_6E1F1454
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1213 0_2_6E1F1213
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2237 0_2_6E1F2237
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E204277 0_2_6E204277
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2130C4 0_2_6E2130C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E209110 0_2_6E209110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E210EFC 3_2_6E210EFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E205F50 3_2_6E205F50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1FD2 3_2_6E1F1FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1D6D 3_2_6E1F1D6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20EA21 3_2_6E20EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1AF9 3_2_6E1F1AF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E205B20 3_2_6E205B20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E6BDF 3_2_6E1E6BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F18C7 3_2_6E1F18C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20E901 3_2_6E20E901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E205600 3_2_6E205600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E206616 3_2_6E206616
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1686 3_2_6E1F1686
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1454 3_2_6E1F1454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F1213 3_2_6E1F1213
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F2237 3_2_6E1F2237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E204277 3_2_6E204277
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2130C4 3_2_6E2130C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E209110 3_2_6E209110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E2264 6_2_6E1E2264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E205600 6_2_6E205600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1686 6_2_6E1F1686
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E210EFC 6_2_6E210EFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E205F50 6_2_6E205F50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1FD2 6_2_6E1F1FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1454 6_2_6E1F1454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1D6D 6_2_6E1F1D6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E20EA21 6_2_6E20EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1213 6_2_6E1F1213
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F2237 6_2_6E1F2237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F1AF9 6_2_6E1F1AF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E205B20 6_2_6E205B20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F18C7 6_2_6E1F18C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E2130C4 6_2_6E2130C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E20E901 6_2_6E20E901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E209110 6_2_6E209110
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1E33B0 appears 59 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1FE6CA appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1E33B0 appears 60 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1FE6CA appears 63 times
Sample file is different than original file name gathered from version info
Source: soft.dll Binary or memory string: OriginalFilenamecome.dllx, vs soft.dll
Uses 32bit PE files
Source: soft.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.troj.winDLL@11/0@0/0
Source: soft.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: soft.dll Virustotal: Detection: 13%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\soft.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: soft.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: soft.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Until\moon\old-speak\bright\come.pdb source: loaddll32.exe, 00000000.00000002.526260148.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.505285261.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.491588581.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.498620240.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.533256829.000000006E234000.00000002.00020000.sdmp, soft.dll
Source: soft.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: soft.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: soft.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: soft.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: soft.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E1F31 LoadLibraryA,GetProcAddress, 6_2_6E1E1F31
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E216E00 push ecx; mov dword ptr [esp], ecx 0_2_6E216E01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E33F6 push ecx; ret 0_2_6E1E3409
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E216E00 push ecx; mov dword ptr [esp], ecx 3_2_6E216E01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E212342 push ecx; ret 3_2_6E212355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E33F6 push ecx; ret 3_2_6E1E3409
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E2200 push ecx; ret 6_2_6E1E2209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E2253 push ecx; ret 6_2_6E1E2263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E216E00 push ecx; mov dword ptr [esp], ecx 6_2_6E216E01

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.1 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FEF8D FindFirstFileExW, 0_2_6E1FEF8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 0_2_6E1FF349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FEF8D FindFirstFileExW, 3_2_6E1FEF8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 3_2_6E1FF349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FEF8D FindFirstFileExW, 6_2_6E1FEF8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose, 6_2_6E1FF349

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20DE00 IsDebuggerPresent,OutputDebugStringW, 0_2_6E20DE00
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E1F31 LoadLibraryA,GetProcAddress, 6_2_6E1E1F31
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE88E mov eax, dword ptr fs:[00000030h] 0_2_6E1FE88E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h] 0_2_6E1FE8D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE916 mov eax, dword ptr fs:[00000030h] 0_2_6E1FE916
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE947 mov eax, dword ptr fs:[00000030h] 0_2_6E1FE947
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F567F mov eax, dword ptr fs:[00000030h] 0_2_6E1F567F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h] 0_2_6E1FE6F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F5704 mov ecx, dword ptr fs:[00000030h] 0_2_6E1F5704
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE73B mov eax, dword ptr fs:[00000030h] 0_2_6E1FE73B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE77E mov eax, dword ptr fs:[00000030h] 0_2_6E1FE77E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h] 0_2_6E1FE7D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE88E mov eax, dword ptr fs:[00000030h] 3_2_6E1FE88E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h] 3_2_6E1FE8D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE916 mov eax, dword ptr fs:[00000030h] 3_2_6E1FE916
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE947 mov eax, dword ptr fs:[00000030h] 3_2_6E1FE947
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F567F mov eax, dword ptr fs:[00000030h] 3_2_6E1F567F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h] 3_2_6E1FE6F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F5704 mov ecx, dword ptr fs:[00000030h] 3_2_6E1F5704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE73B mov eax, dword ptr fs:[00000030h] 3_2_6E1FE73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE77E mov eax, dword ptr fs:[00000030h] 3_2_6E1FE77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h] 3_2_6E1FE7D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F567F mov eax, dword ptr fs:[00000030h] 6_2_6E1F567F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h] 6_2_6E1FE6F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F5704 mov ecx, dword ptr fs:[00000030h] 6_2_6E1F5704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE73B mov eax, dword ptr fs:[00000030h] 6_2_6E1FE73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE77E mov eax, dword ptr fs:[00000030h] 6_2_6E1FE77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h] 6_2_6E1FE7D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE88E mov eax, dword ptr fs:[00000030h] 6_2_6E1FE88E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h] 6_2_6E1FE8D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE916 mov eax, dword ptr fs:[00000030h] 6_2_6E1FE916
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1FE947 mov eax, dword ptr fs:[00000030h] 6_2_6E1FE947
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E201302 GetProcessHeap, 0_2_6E201302
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1F4EA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E1E2918
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E32F2 SetUnhandledExceptionFilter, 0_2_6E1E32F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1E315D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1F4EA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E1E2918
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E32F2 SetUnhandledExceptionFilter, 3_2_6E1E32F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1E315D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E1F4EA3

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E340B cpuid 0_2_6E1E340B
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E209E4F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E209F55
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E209D29
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E209A4B
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E209AD6
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1F8821
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E209947
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E2099B0
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E2096A5
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1F8721
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E1F87F8
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E20A024
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E1F9144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E209E4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E209F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E209D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E209A4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E209AD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E1F8821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E209947
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E2099B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E2096A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E1F8721
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E1F87F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E20A024
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E1F9144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 6_2_6E1E1566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6E209E4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_6E2096A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1F8721
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E209F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1F87F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E209D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E209A4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_6E209AD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_6E20A024
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1F8821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E1F9144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E209947
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E2099B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E3080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E1E3080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 6_2_6E1E146C

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
No contacted IP infos